Stratigos Security became aware of a vulnerability in the Bambuser mobile application and reported the issue to Bambuser on August 10, 2012. Bambuser responded quickly, provided an estimated timeline for the fix, and notified Stratigos Security when the updated version was published. Stratigos Security has confirmed that the vulnerability is fixed in the updated version.

Stratigos Security became aware of a vulnerability in the Ustream iOS application and reported the issue to Ustream on August 10, 2012. As of October 3, 2012, Ustream had not yet fixed the issue, nor did they have a projected date for a fix. Therefore, Stratigos Security has gone ahead and released details of this as yet unpatched vulnerability to the public. We do not like to do this, nor do we take the decision lightly. However, some individuals using the application do so under conditions where the information disclosed could lead to their identification by repressive governments and to bodily harm to them or their friends and family, so we are releasing this information publicly. It is highly likely that those who would exploit the vulnerability already know about it, whereas the potential victims are likely unaware.

To exploit the weakness in the in-app purchase flow, only two primary steps are required. First, an additional SSL certificate is installed on the device itself, which involves downloading the file and a couple of screen taps; from then on the device trusts any server whose certificate chains to the installed one. The second and more difficult part requires control over the local network to create a custom DNS entry, so that the hostname the app expects resolves to the attacker's server instead of Apple's. (Stratigos Security researchers are looking at a way to simplify this.) When the iOS app then attempts to connect to Apple's servers to make the purchase, the connection is redirected to the other server, which returns a fraudulent authorization that unlocks the in-game content. This poses a clear threat to Apple's and game makers' revenue.

But this could pose a risk to phone owners as well. Once the device trusts the extra certificate and the DNS entry points at the third-party server, that server sits in the middle of every connection to the redirected hostname, not only purchases. If the app update mechanism or any other communication goes through it, it opens the possibility of introducing malicious code to the device. This is the same position exploited by man-in-the-middle tools such as The Middler and Evilgrade. So device owners should consider these risks before carrying out these procedures.

At this time it is not yet possible to validate the Russian site's story, because the servers enabling it have been under heavy load and at least one has apparently been taken down by its hosting provider following a legal request from Apple. However, Stratigos Security researchers are working to independently confirm the issue in our lab.

UPDATE: Macworld reports that both the username and password are sent to the server in plaintext. This means that the server, or any attacker who successfully executes a man-in-the-middle attack, can read the victim's credentials. Those credentials are not just valid at the iOS App Store; they typically work across multiple Apple properties and, because of password reuse, often at many unrelated services as well. Instead, Apple should be protecting credentials on the device and sending a hash to the servers. Note that a fixed hash sent over an interceptable connection is simply a second password, since whoever captures it can replay it; the hash needs to be tied to a challenge the server issues fresh each time, and the connection itself must still be authenticated, or the operator of the redirected server reads everything anyway.
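To make the replay point concrete, here is an added example (written for this page; it is not Apple's protocol and not code from the original post) that runs the two schemes side by side: a client that sends a static hash of the password, which an eavesdropper captures and replays successfully, and a challenge-response exchange in which the server issues a one-time random nonce and the client answers with an HMAC keyed by the password-derived key, so the captured answer is useless afterwards. The user name, password and nonce size are constructed sample values; the key derivation is plain SHA-256 purely to keep the example short.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// passwordKey derives a fixed key from the password. A real deployment would use a
// salted, slow password hash here; SHA-256 is used only to keep the example short.
func passwordKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// WeakProof is the "send the hash" scheme: identical bytes on every login, so a
// captured copy is as good as the password.
func WeakProof(password string) string {
	return hex.EncodeToString(passwordKey(password))
}

// WeakServer accepts anyone who presents the stored hash, including a replay.
func WeakServer(stored, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(presented)) == 1
}

// AuthServer holds each user's key and the single outstanding challenge per user.
type AuthServer struct {
	keys       map[string][]byte
	challenges map[string][]byte
}

func NewAuthServer() *AuthServer {
	return &AuthServer{keys: map[string][]byte{}, challenges: map[string][]byte{}}
}

func (s *AuthServer) Register(user, password string) { s.keys[user] = passwordKey(password) }

// Challenge issues a fresh 16-byte random nonce, replacing any earlier one for the user.
func (s *AuthServer) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// ClientProof is what the device sends: an HMAC over the nonce keyed with the
// password-derived key. Neither the password nor the key crosses the wire.
func ClientProof(password string, nonce []byte) []byte {
	mac := hmac.New(sha256.New, passwordKey(password))
	mac.Write(nonce)
	return mac.Sum(nil)
}

// Verify checks the proof against the outstanding nonce and then discards that nonce,
// so a captured proof cannot be presented a second time.
func (s *AuthServer) Verify(user string, proof []byte) bool {
	nonce, ok := s.challenges[user]
	key, known := s.keys[user]
	if !ok || !known {
		return false
	}
	delete(s.challenges, user)
	mac := hmac.New(sha256.New, key)
	mac.Write(nonce)
	return hmac.Equal(mac.Sum(nil), proof)
}

// Demo plays an eavesdropper against both schemes and reports whether each replay was accepted.
func Demo() (weakReplayAccepted, crReplayAccepted bool, err error) {
	const user, password = "alice", "correct horse battery staple" // constructed sample credentials

	// Scheme 1: the static hash is captured once and replayed later.
	stored := WeakProof(password)
	captured := WeakProof(password) // exactly what a MITM or a redirected server sees
	weakReplayAccepted = WeakServer(stored, captured)

	// Scheme 2: challenge-response.
	srv := NewAuthServer()
	srv.Register(user, password)
	nonce, err := srv.Challenge(user)
	if err != nil {
		return
	}
	proof := ClientProof(password, nonce) // the attacker captures this too
	if !srv.Verify(user, proof) {
		err = fmt.Errorf("legitimate login unexpectedly rejected")
		return
	}
	// The attacker later replays the captured proof; the server has moved on to a new nonce.
	if _, err = srv.Challenge(user); err != nil {
		return
	}
	crReplayAccepted = srv.Verify(user, proof)
	return
}

func main() {
	weak, cr, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("static hash replay accepted: %v\n", weak)
	fmt.Printf("challenge-response replay accepted: %v\n", cr)
}
```

Two caveats apply to the stronger scheme as well. The server still stores a key that is sufficient to impersonate the user, so that store needs the same protection as a password database (salted, slow derivation; or a SCRAM-style verifier). And challenge-response does not authenticate the server: an attacker who controls DNS and a trusted certificate can relay the real server's nonce to the client and the client's proof back in real time, so this complements an authenticated connection rather than replacing it.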